IETF Logo Mail Archive

[TLS] Re: draft-ietf-tls-dtls-rrc-13 ietf last call Opsdir review

Thomas Fossati <thomas.fossati@linaro.org> Wed, 11 June 2025 07:23 UTC

Return-Path: <thomas.fossati@linaro.org>
X-Original-To: tls@mail2.ietf.org
Delivered-To: tls@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id DBF41338330F for <tls@mail2.ietf.org>; Wed, 11 Jun 2025 00:23:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=linaro.org
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KpSW9GVa9WI6 for <tls@mail2.ietf.org>; Wed, 11 Jun 2025 00:23:50 -0700 (PDT)
Received: from mail-ej1-x634.google.com (mail-ej1-x634.google.com [IPv6:2a00:1450:4864:20::634]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 498D833832FC for <tls@ietf.org>; Wed, 11 Jun 2025 00:23:50 -0700 (PDT)
Received: by mail-ej1-x634.google.com with SMTP id a640c23a62f3a-ad51ba0af48so123990466b.0 for <tls@ietf.org>; Wed, 11 Jun 2025 00:23:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; t=1749626629; x=1750231429; darn=ietf.org; h=in-reply-to:content-transfer-encoding:content-disposition :mime-version:references:message-id:subject:cc:to:from:date:from:to :cc:subject:date:message-id:reply-to; bh=odDI3onXlPFHcX6cSQQGBjFtYBo7OE0vx1SuisoSJU0=; b=cgrJRwwWt6DaG/wumzwgnhPY0MoC976VfIYWcrHMLZYccUMHbXyNT1SmlA0jeNAtuK 5EzlC6EGXAltiDiLMOBa7SAs5iMo5jJwnqKoAHQ9kNFKr8oSppPpOLmy5DLwnzuSAqAD 0ZYOwbOUb5XtvlcltlwnqNk0PlPt0aOiBEUraJMalh3IOEfNPxxMhge/MVbfWkr0RhWu /+J5dm4wHomPMzBI2gvRgNdFzZsJsI65dvUSxzy8aHTkTS9ZJi1s6JZRRiGsHSFt72V0 s+jqOZOjRNjgQLrtLj35vIbDPYI11DDxSziBPdhSoeCEQsz9Oc18RBOMXCzfDdjpL8zI X5kg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1749626629; x=1750231429; h=in-reply-to:content-transfer-encoding:content-disposition :mime-version:references:message-id:subject:cc:to:from:date :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=odDI3onXlPFHcX6cSQQGBjFtYBo7OE0vx1SuisoSJU0=; b=SsFx45aQj7p2XT5h1jEbnhPegMylhKG7mzC11unsGCtLOHRTUQ41KMhNtlvh6E7sxe E8Oe3ecy2uQoRzjq5orLLWPyXbwAsO1+TiiXlumZaUN8ciDDaLeCQfYE/jJlteiCoAbG iOrgE4Bp4E6+x2fU2/HngfxPy60XHN1FT7o2t5GKfzG7CEk+tliBuCO9YkBOM4O1LxeW FvjYX5YGiH849rctWkrSmix5w2jXZ1euVbuVIBuaxmWxtU5TSvUVEaNuXFxkc1X4X8Ah Zw7bWNwAGVpGYrNoRUwtHj0n7YEb4jwJ7kzyXG6JewzI5NFMUKUrRBY0qRAu2eU/a8AF UnWA==
X-Forwarded-Encrypted: i=1; AJvYcCXo6Wn8uR1yUsbzvkdiO35z6jVvKIW15PvYMIs5DqNrhZGEYmDRrrdpchAnElwzhHUbrCI=@ietf.org
X-Gm-Message-State: AOJu0YzFkwk1x0H/V4T3Oy2Me/kVXZrROuu7KO6MKje+bt0TWEQx8PtX PfPFciBWZyXoNeXJKePdSHqLXpt0J8C4o1lB+xQfBgU2KdMxu5NLCyf0wzI3lnHxaYk=
X-Gm-Gg: ASbGnctm+cZUKI6TfGzbHQJINZmxOpfiwcis2KOd50RAxHiLFzyuk6LfkGBMgicvIRG 1uQUIZyvS8vRP2pAyPKQFt9JgsicZ19jZyMbgxVnNNLk4ADtkEHN1dsoaQS7zUn9AYlmBAmKHm1 FWt21a6dWuRsjg7EynWB80Qk1XkOG53C8/PRWrYuUgT4Ayv1COJd+zgwHHKi2xzKcoYo26OXTUw KEpMyBfGoTqmMllnWMUsyf8PQ4v6MhwpRE6Bjxc2nnoZdzi/oEXFj3r2FGpb8yzv/4GPbh6aoAr G/XdFjj3SW2qvpvxhmbIwK1aF5F3q4bv4PheTT9MoxUFIJmCFNOYER2ekrY4wY/2giH7hVSATQ5 agqqFwQe+wEp5EZNr
X-Google-Smtp-Source: AGHT+IHY1NlWqqisu/HW2bRKgnGETQhL+cGI5Yx/Qb0hlC8y9WlkC+24j2VUh6BCSZbZNUv0vkdzCg==
X-Received: by 2002:a17:906:fd87:b0:ad2:27b1:7214 with SMTP id a640c23a62f3a-ade8996664cmr225927066b.17.1749626629153; Wed, 11 Jun 2025 00:23:49 -0700 (PDT)
Received: from tho-mbp.home ([2a02:1210:6ac5:f500:bdc9:8ce9:4198:5e40]) by smtp.gmail.com with ESMTPSA id a640c23a62f3a-ade1d754896sm835130166b.36.2025.06.11.00.23.47 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 11 Jun 2025 00:23:48 -0700 (PDT)
Date: Wed, 11 Jun 2025 09:23:47 +0200
From: Thomas Fossati <thomas.fossati@linaro.org>
To: "Joe Clarke (jclarke)" <jclarke@cisco.com>
Message-ID: <4l3xuc4rvuii5ipda6l4733lej3bdispso4pxeq3yfr5zbudw3@vzzzrwour6k6>
References: <174861905887.2180719.14373569691399942951@dt-datatracker-59b84fc74f-84jsl> <pwsk5h3ttgqwmy25cixb7urjyyrudfja6ejgcstpksogr2tryl@top3oe6lebeq> <CH2PR11MB8867EE4132033FD6D0FF354EB86DA@CH2PR11MB8867.namprd11.prod.outlook.com> <do2iq7fhcn2xcficefbmu75klnnruperj35k3nigtgjrc6n7jr@s34djejwpsql>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <do2iq7fhcn2xcficefbmu75klnnruperj35k3nigtgjrc6n7jr@s34djejwpsql>
Message-ID-Hash: DT6F2BUTFA32CTGSSOUXLH4S64BG2OO2
X-Message-ID-Hash: DT6F2BUTFA32CTGSSOUXLH4S64BG2OO2
X-MailFrom: thomas.fossati@linaro.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "ops-dir@ietf.org" <ops-dir@ietf.org>, "draft-ietf-tls-dtls-rrc.all@ietf.org" <draft-ietf-tls-dtls-rrc.all@ietf.org>, "last-call@ietf.org" <last-call@ietf.org>, "tls@ietf.org" <tls@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Re: draft-ietf-tls-dtls-rrc-13 ietf last call Opsdir review
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/ESGhykC04SikgJFJa7ZnQExrN5o>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>

Hi Joe,

We have just published -15, which adds an "Operational Considerations"
section [1] that discusses logging anomalies and middlebox interference.

Let us know if you have any questions or further suggestions.

Thanks again for your time, cheers!

[1] https://www.ietf.org/archive/id/draft-ietf-tls-dtls-rrc-15.html#section-10 


On Wed, Jun 04, 2025 at 04:44:26PM +0100, Thomas Fossati wrote:
>Hi Joe,
>
>On Tue, Jun 03, 2025 at 02:21:47PM +0100, Joe Clarke (jclarke) wrote:
>>>When you say, the choice may be offered as a configuration option to the user,
>>>who is the user in this case?  Is this the client, initiator, responder?  This
>>>felt vague to me.
>>
>>What we mean by "user" is the user of the TLS implementation.
>>
>>[JMC] Thanks for the changes.  I’m still wondering where this would
>>need to be.  There are two “users” of a TLS implementation (client and
>>server).  Would this be more of a config on the client side where they
>>wouldn’t want lag (for example)?
>
>ISTM the configurability should be symmetrical, there is no preferred
>angle.
>
>>>My overarching question on the OPS front is, while it might be out of scope for
>>>this document, would it be valuable to mention any operational logging or
>>>statistics that may be required around RRC?  that is, logging RRC failures,
>>>counting the number of times an RRC is needed, recording the time it takes to
>>>validate RRCs?  The details might spawn other work, but noting any interesting
>>>operational events could be helpful for implementors.
>>
>>I am not an OPS person, and I am not particularly familiar with what
>>SNMP/NETMOD provides regarding the export of statistics about TLS/DTLS
>>sessions.
>>I am not familiar with QLOG either, but I guess it might have modelled
>>events that are very similar to what RRC would need and could be used as
>>a starting point.
>>As you say, though, this would be separate work, so I wouldn't know how
>>to act on it at this point other than discussing your intriguing
>>observation with other implementers :-)
>>
>>[JMC] We’re actually working on a revision to RFC 5706 right now 😊 .
>
>Thanks for the reference.  This is a whole new world opening up before
>my eyes! :-)
>
>This also prompted me to look into RFC9312 to see what QUIC has to say
>about path validation.  Its section 4.3 looks like it may contain some
>relevant information, at least conceptually.  In particular, it seems to
>me that the boxes that could interfere with RRC are probably L4+, i.e.,
>load balancers and firewalls, rather than routers or switches.
>Would that be operational consideratiosn worth capturing?
>
>>The specifics would certainly be fodder for new work, but would It be
>>helpful to have a sentence or short paragraph to implementors in this
>>draft that recommends logging RRC failures?  For example, Initiators
>>MAY wish to log any unsuccessful RRC operations for Security
>>Information and Event Management (SIEM) and troubleshooting purposes.
>
>In general, adding metrics about path validation seems like a good
>suggestion.  This applies to both successful and unsuccesful attempts, I
>think.
>It's just a drop in the ocean of stats that a stack might care about,
>but it's a start :-)
>
>As I pointed out upthread, it'd be interesting to have a comprehensive
>look at QLOG and see if we can transplant any of that into (D)TLS.
>
>cheers, t

v2.31.3 | Report a Bug | By Email | System Status